Merge pull request #96 from alkor/client-side-passwords

Support client-side encrypted passwords

Merge pull request #96 from alkor/client-side-passwords
Support client-side encrypted passwords
028a36d7 · ORD · deca8fa6 · fe544339 · 028a36d7 · 028a36d7
Commit 028a36d7 authored Jan 01, 2016 by ORD
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

opcua/client.py opcua/client.py +5 -1

opcua/uacrypto.py opcua/uacrypto.py +1 -1

No files found.
--- a/opcua/client.py
+++ b/opcua/client.py
@@ -357,7 +357,11 @@ class Client(object):
            params.UserIdentityToken.UserName = username 
            if self.server_url.password:
                pubkey = uacrypto.x509_from_der(self.security_policy.server_certificate).public_key()
-                data = uacrypto.encrypt_basic256(pubkey, bytes(password, "utf8"))
+                # see specs part 4, 7.36.3: if the token is encrypted, password
+                # shall be converted to UTF-8 and serialized with server nonce
+                etoken = ua.pack_bytes(bytes(password, "utf8") + self._server_nonce)
+                #data = uacrypto.encrypt_basic256(pubkey, etoken)
+                data = uacrypto.encrypt_rsa_oaep(pubkey, etoken)
                params.UserIdentityToken.Password = data
            params.UserIdentityToken.PolicyId = self.server_policy_id(ua.UserTokenType.UserName, b"username_basic256")
            params.UserIdentityToken.EncryptionAlgorithm = 'http://www.w3.org/2001/04/xmlenc#rsa-oaep'

--- a/opcua/uacrypto.py
+++ b/opcua/uacrypto.py
@@ -28,7 +28,7 @@ def x509_from_der(data):


 def x509_to_der(cert):
-    if not data:
+    if not cert:
        return b''
    return cert.public_bytes(serialization.Encoding.DER)